On 11/05/12 19:18 Tomas Doran wrote:
>
> On 11 May 2012, at 17:45, Robert Rothenberg wrote:
>
>> We're working on an application with a lot of users, and where the passwords
>> are encrypted (and future versions may also allow OpenID logins).
>>
>> Developers would like the ability for the "root" user to be able to become
>> another user, for the purposes of debugging problems that real users might
>> be having on a live system.
>>
>> How does one do this using the Authentication plugin?
>>
>> Obvious things to try like the $c->user($new_user) doesn't work, not does
>> the (internal) $c->set_authenticated($user, $real) method.
>>
>
> The recommended approach would be to keep $c->user 'pure', and to arrange to
> stash the current user in a top level base chain part, or top level auto.
>
> If everything then subsequently uses $c->stash->{current_user} - then you can
> do your sudo (or whatever other mechanism you may need in future) simply by
> swapping out the user here.
>
> This makes things a lot more pure - as the canonical user that $c->user will
> give you is (more) immutable..
>
> Also, if you swap the 'canonical' user part way through the request - when
> the session plugin comes to re-serialize the session at the end of request -
> you're pretty stuffed, as you're now writing out the wrong user… I.e.
> re-sudoing, or doing any root level action is likely to require you to log
> out and log in again - not what you actually want! :)
We don't mind having to log out and log back in again after sudoing.
I'm not looking forward to changing every use of $c->user in the code, and
concerned about how this might interact with any plugins that rely on $c->user.
Would you consider the ability to sudo a feature request for the
Authentication plugin? (with appropriate thoughts about the security
implications, of course).
Thanks,
Rob
_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
